A look at the XI security model, focusing on new features in XI 3.0:
- Custom access levels
- Ability to assign more than one access level
- Ability to selectively choose whether a given right "cascades" or not
- More granularity by specific document types

The new features enable a robust "building blocks" approach to security that makes security manageable by "mere mortals." The download includes an Excel spreadsheet that lists every possible individual right (nearly 1,300 of them), categorized by the object to which they apply. Very useful in drafting / maintaining your own security matrix.

For those attending my presentation, I left out one "cool" use of the cascading / non-cascading feature that can now be applied to individual rights. In previous releases, when a developer was given broad rights over a folder, they could not only add / change / delete objects within the folder, but they could also DELETE THE FOLDER ITSELF!

With XI 3.0, you can set the delete right to apply ONLY to sub-objects. That way they can delete objects, sub-folders, etc., but NOT the object (folder) itself!
_________________
Dwayne Hoffpauir

This is fantastic - thanks Dwayne!
_________________
Working in London
Currently Webi & Universe Designer XIr3 with InfoBurst
The past is history, the future's a mystery and this moment's a gift. That's why it's called the present....

I attended and I really wanted to have a chat with you concerning some of your recommendations that I personally don't make next time!
_________________
Welcome Sathish Rajagopal
BI4.3: Back to the future
BO or BOBJ... that is the question

As per the security matrix in your presentation, do I need to create 50*3 = 150 groups to achieve the security?

You should be able to create 53 groups (50+3). Then make any given user a member of two groups ... one client group, and one "kind" group.

Such good advice! Thanks

Is this only true when a user is always a "kind" of user? For instance, in a scenario with three kinds of users: Advanced, Medium, General and Two Groups: HR and Sales.

In your scenario there would be 5 groups. Let's say User: Bob is an Advanced User for the HR Group.

He would be placed in the "Advanced" group and the "HR" group. Later on, Bob also needs view only access to the "Sales" group. Due to security requirements, he is not allowed to be an advanced user of the Sales group.

Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

edit: without using overrides or individual user level security for Bob.

I just don't understand something:
In the 3.1 matrix I understood that we had better "play" with the different customised access levels, and then apply those levels to a group in order for them to have rights on folders or applications.

so a user belongs to a group

instead of:
creating groups with their rights on folders
creating groups with their rights on applications

so a user belongs to 2 groups.

And following the questions above, the solution proposed by Dwayne is the second one: a user belongs to 2 groups

Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

Still wouldn't help. Application rights are NOT applied to content folders. The only solution is two different user ID's.

That is correct for content folders. However, what about Universe folders? Setting "Not Specified" for the edit/delete permissions seems to effectively limit what these "mixed" users could do with the universes contained in the folders. I will try to post a real example tomorrow.

Let's see. I took your requirement against "give him too much access" rather literally I guess. I should ask, which application rights are the concern? Report authoring rights (DeskI, WebI), Designer rights, other? There is an individual right that can be applied to universes to allow data provider create / edit against that universe. It is the ONLY exception that I know of where what is essentially an application right is applied to content (documents, universes, etc.).
_________________
Dwayne Hoffpauir
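The Bob scenario from the exchange above, worked through as an added example that is not from the presentation or from any poster. It is a simplified model, not XI's rights engine: it assumes application rights are global (following the reply that they are not applied to content folders), and the right names, function names and policy are constructed for illustration.

```python
# Simplified model (an assumption, not XI's real rights engine): a group grants
# application rights (global, never scoped to a folder) and/or folder access.
KINDS = {"Advanced": {"view", "refresh", "edit"},   # constructed right names
         "Medium": {"view", "refresh"},
         "General": {"view"}}
CLIENTS = ["HR", "Sales"]  # the thread's two-client example; the matrix has 50

def building_block_groups():
    """One group per client plus one per kind (the 50+3 pattern)."""
    groups = {c: {"folders": {c}, "app": set()} for c in CLIENTS}
    groups.update({k: {"folders": set(), "app": set(r)} for k, r in KINDS.items()})
    return groups

def combined_groups():
    """One group per client/kind pair (the 50x3 pattern)."""
    return {f"{c}-{k}": {"folders": {c}, "app": set(r)}
            for c in CLIENTS for k, r in KINDS.items()}

def effective(groups, memberships):
    """Union all memberships; every app right works in every reachable folder."""
    folders, app = set(), set()
    for name in memberships:
        folders |= groups[name]["folders"]
        app |= groups[name]["app"]
    return {f: set(app) for f in folders}

def over_privileged(access, policy):
    """Folders where the account holds rights the policy does not allow."""
    return {f: rights - policy.get(f, set())
            for f, rights in access.items() if rights - policy.get(f, set())}

# Constructed policy for Bob: advanced in HR, view-only in Sales.
BOB_POLICY = {"HR": KINDS["Advanced"], "Sales": KINDS["General"]}

if __name__ == "__main__":
    bb, cg = building_block_groups(), combined_groups()
    print(len(bb), "building-block groups vs", len(cg), "combined groups")
    # One user ID in Advanced + HR + Sales: advanced rights leak into Sales.
    print(over_privileged(effective(bb, ["Advanced", "HR", "Sales"]), BOB_POLICY))
    # Client x kind groups do not help: the application rights still merge.
    print(over_privileged(effective(cg, ["HR-Advanced", "Sales-General"]), BOB_POLICY))
    # Two separate user IDs, each checked against the same policy.
    for ids in (["Advanced", "HR"], ["General", "Sales"]):
        print(ids, over_privileged(effective(bb, ids), BOB_POLICY))
```

With two clients the counts are 5 and 6 groups; with the 50 clients of the matrix the same functions give 53 and 150.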

Hi! Must we always create rights for applications AND rights for content?
Or is it possible to imagine that the ones who will refresh all have the same rights and can only access their folder and then refresh a Webi document, and so we create a right "refresh", then we create an "accounting group" and apply the "refresh" right on the universe, connection and folder related to accounting, and then apply the same right "refresh" on the application WebIntelligence?

Then if there is the same behaviour on "sales group", we apply the same "refresh" right for the sales group, on sales folder, etc.